bitscuit

Reputation: 1052

Kubernetes Pod Security Policy Default Privileged Value

I am learning more about Kubernetes Pod Security Policies, and while going through the list of fields, I could not find the default value for the Privileged flag. Is this value dependent on the container runtime used? For example, Docker containers have this value set to false by default, so if I had a Kubernetes cluster with only Docker containers, would all the pods be unprivileged?

Upvotes: 3

Views: 1415

Answers (2)

macintoshPrime

Reputation: 254

In a fresh cluster the default PSP is very permissive, which means that pretty much anything is allowed. So the default would be to allow privileged containers if the privileged flag was toggled on the pod, same with root users, etc.

You will have to explicitly set the flag to true in the PSP if you want to enforce it. I believe this is true regardless of the container runtime being used; it works with Windows containers too :)

Upvotes: 3

yasin lachini

Reputation: 6036

There is a privileged flag on the SecurityContext of the container spec. The default is false.

For example, with the template below you can set it to true.

apiVersion: v1
kind: Pod
metadata:
  name: hello-world
spec:
  containers:
    - name: hello-world-container
      # The container definition
      # ...
      securityContext:
        privileged: true 

Upvotes: 2
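
An added example, not part of either answer above: a small audit that resolves the effective `securityContext.privileged` value for every container in a pod list (an omitted field counts as false) and models only the PSP `privileged` check against it. The pod list is constructed sample data shaped like `kubectl get pods -o json` output, and the function names are hypothetical.

```python
import json

# Constructed sample, shaped like `kubectl get pods -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "hello-world", "namespace": "default"},
   "spec": {"containers": [
     {"name": "hello-world-container", "securityContext": {"privileged": true}}]}},
  {"metadata": {"name": "web", "namespace": "default"},
   "spec": {"initContainers": [{"name": "init", "securityContext": {"privileged": true}}],
            "containers": [{"name": "nginx"}]}},
  {"metadata": {"name": "batch", "namespace": "jobs"},
   "spec": {"containers": [
     {"name": "worker", "securityContext": {"runAsUser": 1000}},
     {"name": "sidecar", "securityContext": {"privileged": false}}]}}
]}
""")

CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def is_privileged(container):
    """Effective value of securityContext.privileged; an omitted field means false."""
    return bool((container.get("securityContext") or {}).get("privileged", False))


def privileged_containers(pod):
    """Names of every container in the pod that requests privileged mode."""
    spec = pod.get("spec", {})
    return [c["name"] for field in CONTAINER_FIELDS
            for c in spec.get(field) or [] if is_privileged(c)]


def audit(pod_list, psp_spec):
    """Model only the PSP `privileged` check: returns {ns/name: (containers, allowed)}."""
    # Assumption stated in the lead-in: `privileged` omitted from a PSP spec means false.
    psp_allows = bool(psp_spec.get("privileged", False))
    report = {}
    for pod in pod_list["items"]:
        meta = pod["metadata"]
        found = privileged_containers(pod)
        report[f'{meta["namespace"]}/{meta["name"]}'] = (found, psp_allows or not found)
    return report


if __name__ == "__main__":
    for key, (found, allowed) in audit(SAMPLE, {"privileged": False}).items():
        print(key, "privileged:", found or "none", "->", "admit" if allowed else "reject")
```

Init containers are checked as well, because a pod whose main containers are unprivileged can still request privileged mode there.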
